Audits FAQ

Why was my department selected for an audit?

The Office of Audit, Risk, and Compliance is an independent adviser to Ohio University's administration and Board of Trustees (Board). We are charged with providing an independent, objective assessment of University operations to determine if management is taking the necessary steps to provide assurance that resources are managed effectively and in accordance with all applicable rules, regulations, and procedures. Our annual audit plan is approved by the Board. It begins with a risk assessment to determine where the greatest risk exist. Input is included from the Board, University administration, and the Office of Audit, Risk, and Compliance Staff.

What if it isn't a good time for an audit?

If there are extenuating circumstances we will work with you to find a more appropriate time.

What do I need to do to prepare for an audit?

Minimal preparation is required. At the beginning of the audit, The Chief Audit Executive will reach out to management and provide a summary of standard audit procedures and documents that may be needed.

How can I benefit from an audit?

Internal audit reviews can help you determine whether there are appropriate internal controls over your administrative processes and systems. We may also be able to show you ways to improve the efficiency and effectiveness of your operations.

What will the auditors examine?

Ohio University must comply with a variety of federal and state laws, grant requirements, and policies all of which include rules and standards. We will review compliance with those pertinent to the department along with any departmental policies and procedures. Ohio University policies can be found on the policy website.

What about the confidentiality of information retained by our department?

Internal Auditors have access to all records and assets of the University, and we know we have an obligation to maintain the confidentiality of that information. Our charter states that:

  • "Documents and information given to Internal Auditors during a periodic review will be handled in the same prudent manner as by those employees normally accountable for them.
  • It is understood that certain University items are confidential in nature and the Internal Auditors will make special arrangements when examining and reporting upon such items."

 

We have several options for working with, and potentially storing, sensitive data such that your compliance with confidentiality requirements will be preserved and the information will be protected. All of our auditors, including student auditors, receive specific instruction on confidentiality requirements and all Internal Auditors sign confidentiality agreements.

What are common audit findings?
  • (Financial) Compliance with the PCard and Travel Policies
  • (Financial) Compliance with the Cash Handling Policy
  • (IT) Software Updates for Workstations
  • (IT) Access Control Issues
  • (IT) Information Security Training
  • (IT) Protection of Sensitive Data
Why won't you tell me exactly how to resolve a finding?

We report to the Board of Trustees as advisers. We are not part of management and are not permitted to specify solutions. We are only allowed to consult, which means we can provide advice regarding the implementation of controls. Our work with other clients may give us some perspective on what has worked for others. We may also know of potential solutions that are available to you from other Ohio University departments. But ultimately the authority and responsibility for all decisions for a solution belong to management, not the Office of Audit, Risk, and Compliance.

What if I disagree with a finding in our report?

The process should assure there are no disagreements between your department and the Office of Audit, Risk, and Compliance. You will have multiple opportunities to discuss potential findings and influence the final report.

Nobody wants an incorrect or overstated finding to be sent to the Board of Trustees for it creates unnecessary work for everyone plus damages our credibility. We recognize that your expertise in your subject area is going to be deeper and more comprehensive than ours. If we have failed to take something important into account, by all means work with us so that our conclusions are relevant, accurate, and fair.

Who gets copies of the audit reports?

Draft reports will be distributed to those employees with responsibility for replying to the report, as agreed during the entrance conference. Final audit reports will be distributed to the relevant administrators of the area audited and made available to the Board of Trustees, President, Provost, Deans, and many Vice Presidents. The Auditor of State, and any external auditors they have retained, may request and receive copies of any and all audit reports.

What happens after a report is issued?

Follow-up audits are scheduled based on the corrective action planned by management.